Duqu malware was first seen in late 2011, but a new report says Duqu 2.0 has been detected in the wild and is leveraging up to three zero-day vulnerabilities in a new attack campaign.
Kaspersky Labs reported not only that Duqu 2.0 has been found in the wild, but that the malware infected several Kaspersky Labs internal systems in early spring of 2015. Kaspersky Labs claims the attack on its systems was an effort to obtain information on its new security technologies and no customer data has been affected.
Kaspersky said the new version of Duqu was created by the same group responsible for the original Duqu malware. The original shared similarities with Stuxnet code, but Duqu 2.0 apparently takes advantage of up to three zero-day vulnerabilities. Kaspersky said the last of those three vulnerabilities (MS15-061) was patched by Microsoft as part of yesterday's June 2015 Patch Tuesday release.
According to Kaspersky Labs, Duqu 2.0 has been used in attacks in Western, Middle-Eastern and Asian countries. The group responsible is thought to have nation-state backing because the cost of developing malware based on zero-day vulnerabilities and launching a campaign this wide is estimated at around $50 million, and there are no indications that financial profit is an objective. Additionally, some of the infections appear to have ties to the P5+1 negotiations aimed at preventing Iran from developing nuclear weapons technology.
Tod Beardsley, engineering manager at Boston-based Rapid7 LLC, said Duqu 2.0 has set a new standard for nation-state attack capabilities.
"After reviewing the technical analysis from Kaspersky, it's safe to say that Duqu 2.0 represents both the state of the art and the minimum bar for cyber operations," Beardsley said. "Even if one doubts that Stuxnet, Duqu and Duqu 2.0 are sourced from well-financed, highly skilled and geopolitically motivated Western nations, Duqu 2.0 is precisely where we should expect any serious national cyber offensive capability to be."
Throughout its report on the Duqu 2.0 malware, Kaspersky Labs appeared amazed at the sophistication of the group responsible, the malware and what it called an "exceptional" attack.
"The philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world," wrote Kaspersky Labs in an FAQ on the new malware. "The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in the memory of infected systems, without need for persistence -- it means the attackers are sure there is always a way for them to maintain an infection -- even if the victim's machine is rebooted and the malware disappears from the memory."
Remove Duqu malware risks
To mitigate risk, Kaspersky advises installing the latest patches from Microsoft and rebooting all network machines, including domain controllers, to remove the malware from active memory. Because Duqu 2.0 survives only in memory and spreads between hosts, Kaspersky advises that all network computers be rebooted at the same time, as if simulating a power failure; otherwise a still-infected machine can reinfect the ones that were just cleaned.
Kaspersky also recommends running 64-bit Windows on servers where possible, because that forces attackers to use signed drivers for any persistence mechanism.
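The two recommendations above (a simultaneous reboot of every host, domain controllers included, and an inventory of servers that are not yet 64-bit) are the kind of thing an administrator would script rather than do by hand. The following PowerShell is an added example written for this article, not code from Kaspersky, Rapid7 or the original report. It assumes the ActiveDirectory module is installed, that the running account has remote shutdown rights and RPC/WMI reachability to each host, and it uses a placeholder OU path and a constructed countdown; the "simulated power failure" is approximated by giving every host a countdown that expires at one shared instant.

```powershell
# Added example (not from the article or Kaspersky): stage a synchronized reboot
# of every enabled Windows computer under an OU so memory-resident code is flushed
# everywhere at once, and flag 32-bit servers that lack the 64-bit kernel
# driver-signing requirement the article mentions.
# Assumptions: ActiveDirectory module present, remote shutdown rights, RPC/WMI
# reachable. The OU below is a placeholder, not a value from the article.

param(
    [string]$SearchBase  = "OU=Servers,DC=example,DC=local",  # placeholder OU (assumed)
    [int]$LeadSeconds    = 300,      # every host reboots this many seconds from now
    [switch]$ReportOnly              # inventory only, issue no shutdown commands
)

Import-Module ActiveDirectory

# Enumerate enabled computers, domain controllers included, because the article
# stresses that DCs must take part in the same simultaneous reboot.
$targets = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
           Select-Object -ExpandProperty DNSHostName

# One common restart instant; each host gets a countdown that lands on it.
$deadline = (Get-Date).AddSeconds($LeadSeconds)

$report = foreach ($h in $targets) {
    try {
        # OSArchitecture reads "64-bit" or "32-bit" on English systems; 64-bit
        # Windows requires kernel-mode drivers to be signed.
        $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        $arch = $os.OSArchitecture
    } catch {
        $arch = "unreachable"
    }

    # Remaining seconds until the shared deadline, never negative.
    $remaining = [int][math]::Max(0, ($deadline - (Get-Date)).TotalSeconds)

    if (-not $ReportOnly -and $arch -ne "unreachable") {
        # /r reboot, /f force-close applications, /m target host,
        # /t countdown in seconds, /c comment recorded in the event log.
        & shutdown.exe /r /f /m "\\$h" /t $remaining /c "Coordinated reboot after patching (Duqu 2.0 mitigation)" | Out-Null
    }

    $flag = ""
    if ($arch -eq "32-bit") {
        $flag = "32-bit OS: no 64-bit driver-signing requirement; plan migration"
    } elseif ($arch -eq "unreachable") {
        $flag = "Not contacted: reboot manually or it may reinfect the others"
    }

    [pscustomobject]@{
        Host         = $h
        Architecture = $arch
        RebootAt     = $deadline
        Note         = $flag
    }
}

$report | Format-Table -AutoSize
```

Run it first with -ReportOnly to review the inventory and the list of unreachable hosts; a machine that misses the reboot is exactly the one that can reinfect the rest, so those need handling before the real run. The shared deadline is only as simultaneous as the hosts' clocks and the time it takes the loop to reach the last host, so keep LeadSeconds comfortably larger than the loop's run time.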
Ultimately, though, Beardsley warned enterprises that this new level of offensive capability by an attacker should be taken as a sign that security needs to be brought up to par as well.
"If you cannot defend against a Duqu 2.0 style long term campaign, you better not have any data or resources that a national offensive cyber organization will care to compromise," Beardsley said. "Kaspersky has a reputation for being one of the most capable detection and defense organizations in the world, and the fact that they were compromised is a sobering reminder that the gap between offense and defense is, today, massively lopsided in favor of the attacker."